-
Language:
English
-
Language:
English
Red Hat Training
A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification
Chapter 8. Authorization
Authorization relates to the type of component you want to protect, rather than the layer it resides in.
A security domain does not explicitly require an authorization policy. If an authorization policy is not specified, the default
jboss-web-policy and jboss-ejb-policy authorization configured in jboss-as/server/$PROFILE/deploy/security/security-policies-jboss-beans.xml is used.
If you do choose to specify an authorization policy, or create a custom deployment descriptor file with a valid authorization policy, these settings override the default settings in
security-policies-jboss-beans.xml.
Users can provide authorization policies that implement custom behavior. Configuring custom behavior allows authorization control stacks to be pluggable for a particular component, overriding the default authorization contained in
jboss.xml (for EJBs) and jboss-web.xml (for WAR).
Overriding the default authorization for EJB or Web components is provided for Java Authorization Contract for Containers (JACC) and Extensible Access Control Markup Language (XACML), apart from the default modules that implement the specification behavior.
Refer to Section 6.2, “<authorization>” for information about the <authorization> element schema.
Procedure 8.1. Set authorization policies for all EJB and WAR components
You can override authorization for all EJBs and Web components, or for a particular component.
This procedure describes how to define JACC authorization control for all EJB and WAR components. The example defines application policy modules for Web and EJB applications:
jboss-web-policy, and jboss-ejb-policy.
Open the security policy bean
Navigate to$JBOSS_HOME/server/$PROFILE/deploy/securityOpen thesecurity-policies-jboss-beans.xmlfile.By default, thesecurity-policies-jboss-beans.xmlfile contains the configuration in Example 8.1, “security-policies-jboss-beans.xml”.Example 8.1. security-policies-jboss-beans.xml
<?xml version="1.0" encoding="UTF-8"?> <deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-web-policy" extends="other"> <authorization> <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/> </authorization> </application-policy> <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-ejb-policy" extends="other"> <authorization> <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/> </authorization> </application-policy> </deployment>Change the application-policy definitions
To set a single authorization policy for each component using JACC, amend each<policy-module>codeattribute with the name of the JACC authorization module.<?xml version="1.0" encoding="UTF-8"?> <deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-web-policy" extends="other"> <authorization> <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/> </authorization> </application-policy> <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-ejb-policy" extends="other"> <authorization> <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/> </authorization> </application-policy> <application-policy xmlns="urn:jboss:security-beans:1.0" name="jacc-test" extends="other"> <authorization> <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/> </authorization> </application-policy> </deployment>Restart server
You have now configured thesecurity-policy-jboss-beans.xmlfile with JACC authorization enabled for each application policy.Restart the server to ensure the new security policy takes effect.
Setting authorization for specific EJB and WEB components
If applications require more granular security policies, you can declare multiple authorization security policies for each application policy. New security domains can inherit base settings from another security domains, and override specific settings such as the authorization policy module.
Procedure 8.2. Set authorization policies for specific security domains
You can override authorization for a particular component.
This procedure describes how to inherit settings from other security domain definitions, and specify different authorization policies per security domain.
In this procedure, two security domains are defined. The
test-domain security domain uses the UsersRolesLoginModule login module and uses JACC authorization. The test-domain-inherited security domain inherits the login module information from test-domain, and specifies XACML authorization must be used.
Open the security policy
You can specify the security domain settings in thejboss-as/server/$PROFILE/conf/login-config.xmlfile, or create a deployment descriptor file containing the settings. Choose the deployment descriptor if you want to package the security domain settings with your application.Locate and open login-config.xml
Navigate to thelogin-config.xmlfile for the server profile you are using and open the file for editing.$JBOSS_HOME/jboss-as/server/$PROFILE/conf/login-config.xmlCreate a jboss-beans.xml descriptor
Create a[prefix]-jboss-beans.xmldescriptor, replacing [prefix] with a meaningful name (for example,test-war-jboss-beans.xml)Save this file in the/deploydirectory of the server profile you are configuring.jboss-as/server/$PROFILE/deploy/[prefix]-jboss-beans.xml
Specify the test-domain security domain
In the target file chosen in step 1, specify thetest-domainsecurity domain. This domain contains the authentication information, including the <login-module> definition, and the JACC authorization policy module definition.<?xml version="1.0" encoding="UTF-8"?> <deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain"> <authentication> <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"> <module-option name = "unauthenticatedIdentity">anonymous</module-option> <module-option name="usersProperties">u.properties</module-option> <module-option name="rolesProperties">r.properties</module-option> </login-module> </authentication> <authorization> <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/> </authorization> </application-policy> </deployment>Append the test-domain-inherited security domain
Append thetest-domain-inheritedapplication policy definition after thetest-domainapplication policy.Set theextendsattribute toother, so the login module information is inherited.Specify the XACML authorization module in the<policy-module>element.<?xml version="1.0" encoding="UTF-8"?> <deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain"> <authentication> <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"> <module-option name = "unauthenticatedIdentity">anonymous</module-option> <module-option name="usersProperties">u.properties</module-option> <module-option name="rolesProperties">r.properties</module-option> </login-module> </authentication> <authorization> <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/> </authorization> </application-policy> <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain-inherited" extends="other"> <authorization> <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/> </authorization> </application-policy> </deployment>Restart server
You have now configured the target file with two security domains that use different authorization methods.Restart the server to ensure the new security policy takes effect.
8.1. Module Delegation
Procedure 8.1, “Set authorization policies for all EJB and WAR components” and Procedure 8.2, “Set authorization policies for specific security domains ” describe simplistic examples that show how basic authentication can be configured in security domains.
Because authorization relates to the type of component (not the layer) you want to protect, you can use authorization module delegation within a deployment descriptor (
*-jboss-beans.xml) to specify different authorization policies to the standard authentication in your implementation.
The
org.jboss.security.authorization.modules.AuthorizationModuleDelegate class provides a number of subclasses that allow you to implement module delegation:
AbstractJACCModuleDelegateWebPolicyModuleDelegateEJBPolicyModuleDelegateWebXACMLPolicyModuleDelegateWebJACCPolicyModuleDelegateEJBXACMLPolicyModuleDelegateEJBJACCPolicyModuleDelegate
You can create your own authorization delegation module, providing the module extends the
org.jboss.security.authorization.modules.AuthorizationModuleDelegate class.
To implement the delegation module, you declare the delegation modules within the <module-option> element of your <authorization> policy. Each module is prefixed with the component it relates to, as shown in Example 8.2, “Delegation Module Declaration”.
Example 8.2. Delegation Module Declaration
<application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain" extends="other">
<authorization>
<policy-module code="xxx.yyy.MyAuthorizationModule" flag="required">
<module-option name="delegateMap">web=xxx.yyy.mywebauthorizationdelegate,ejb=xxx.yyy.myejbauthorizationdelegate</module-option>
</policy-module>
</authorization>
</application-policy>